Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.
AnalysisAI
Local spoofing in Microsoft Office for Android lets an unauthorized attacker manipulate trust-affecting content or identity indicators after a user interacts with malicious input on the device. The CVSS 7.1 score reflects high confidentiality and integrity impact with no special privileges required, though the local attack vector and required user interaction limit remote exploitability. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Technical ContextAI
The flaw is rooted in CWE-284 (Improper Access Control), meaning Office for Android fails to correctly enforce restrictions on who can perform an action or what content can claim a given identity within the app. On Android, Office components typically rely on the platform's permission model, intent filters, content providers, and signed manifest data to mediate access between activities and documents. A CWE-284 weakness in this context generally indicates that an attacker-controlled component on the same device (another app, a crafted document, or a manipulated intent) is able to bypass intended access boundaries and present itself as something it is not - enabling the spoofing outcome called out by Microsoft. The lack of CPE data in NVD means specific affected build numbers must be retrieved directly from the Microsoft Security Response Center advisory.
RemediationAI
Patch available per vendor advisory - install the latest version of Microsoft Office for Android from the Google Play Store and consult the MSRC entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45649 for the exact fixed build numbers, which are not enumerated in the public NVD data. As compensating controls until updating, restrict Office for Android to managed-app deployment via Intune or another MDM so unknown apps cannot share intents/files with it, disable opening documents from untrusted sources, and instruct users not to interact with unexpected Office prompts originating from links or files received via messaging apps. Side effects: MDM-only deployment reduces user flexibility, and blocking external file opens will break legitimate workflows that rely on sharing documents from other apps.
Microsoft Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Excel 2010 SP2, PowerPoint 2010 SP2, and Word 2010 SP2 all
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel for Mac 2011 and 2016, Office Compati
Microsoft SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013; Office Web Apps 2010; Excel 2003 SP3, 2007 SP3, 2010 S
Microsoft Excel 2007 SP3, Excel 2010 SP2, Office Compatibility Pack SP3, and Excel Viewer allow remote attackers to exec
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel for Mac 2011 and 2016, Office Compatibility Pack SP3, and Excel Viewer a
Stack-based buffer overflow in Microsoft Excel 2007 SP2 and SP3 and 2010 SP1; Office 2011 for Mac; Excel Viewer; and Off
Heap-based buffer overflow in Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Office 2008 and 2011 for Mac; an
Microsoft Excel 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Off
Heap-based buffer overflow in Microsoft Excel 2007 SP2 and SP3 and 2010 Gold and SP1, Excel Viewer, and Office Compatibi
Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2008 and 2011 for Mac; Excel Viewer; and Offic
Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Excel Viewer; and Office Compatibility Pack SP2 and SP3 allow
Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2008 for Mac; Excel Viewer; and Office Compati
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35693
GHSA-4363-fqg7-xrx3